Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 15:42
General
-
Target
dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe
-
Size
479KB
-
MD5
1f9ac4a621d3726993ba2f185215879a
-
SHA1
e412c6fce79cee62a7b2c806be2c85c1386010a1
-
SHA256
dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a
-
SHA512
9d6dba40bcb85fa4209ac33f45c1c2b36e714a3438827f45effb3fce1f8110e2b015ee5d6df9d80afa9baced1af0dd486e14ff6cd2c30cbf67d9e705f6802be1
-
SSDEEP
12288:RMriy90lIiKadmmqiVkFpziI3NM0oPiiimcr:DyEZKIzoZNM0oPii/W
Malware Config
Extracted
redline
dimas
185.161.248.75:4132
-
auth_value
a5db9b1c53c704e612bccc93ccdb5539
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe"C:\Users\Admin\AppData\Local\Temp\dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6764497.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6764497.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4110454.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4110454.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4715928.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4715928.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD512592ef02a0a48445396dddaf91aee0a
SHA1e8296de6882bdb50624b825fbde434ad4a991804
SHA256b1bd17b0e046bec70c0b94d5cb6e46b39d031f5acc9dc26fa2740b13af75812a
SHA5129655d14e85c2ba788a935a2d9029f3c25ab0410e6ab778a52b8369f017652b50a25474c8f981753876e43b6d168f477ce04f916703d7088286c7aa77262e3b3b
-
Filesize
185KB
MD53e630811e041742e84b8ea3e59c277d1
SHA18a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1
SHA256960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b
SHA5128d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e
-
Filesize
145KB
MD58db0f10af9ce05079ff035fa7cf73c32
SHA10bdec117579e905f21013f7fd0a9ec6532e8cc16
SHA256655e588b3f08e12286257b63c7b283c7ae12076473de7c22a8a327ca80fd50c7
SHA51241be1385b8febcc577c3ab6eee8baa644e6451286e66b840710dc381ca51be0500b780840423c3e8051795a9d31820a7d59f6f035d6501ab0e46e61f26abd7b9
-
Filesize
92KB
-
Filesize
584KB
-
Filesize
92KB
-
Filesize
112KB
-
Filesize
92KB
-
Filesize
7.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB